This issue affects all versions of VaultWiki 4.x on vBulletin, including VaultWiki Lite. This issue does NOT occur on XenForo platforms.
Please note that this vulnerability has been labeled as minor, because a user cannot knowingly exploit it, and because a user cannot escalate beyond the "Yes" values of their most permissive usergroup.
Nevertheless, we have published the following Patch Level releases to resolve this issue:
- 4.0.2 Patch Level 1
- 4.0.1 Patch Level 4
- 4.0.0 Patch Level 4
- 4.0.0 RC 5 Patch Level 3
- 4.0.0 RC 4 Patch Level 4
- 4.0.0 RC 3 Patch Level 5
- 4.0.0 RC 2 Patch Level 5
- 4.0.0 RC 1 Patch Level 5
Details
In versions prior to 4.0.2 only, permissions from a user's secondary member groups are still applied even when the user's primary usergroup does not allow the user to receive permissions from secondary groups (the usual configuration for "banned" usergroups). As a result, the user's permissions escalate to those granted by the secondary member groups.

In 4.0.2 only, permissions from a user's secondary member groups are ignored entirely. If a secondary member group sets a permission to Never while the primary usergroup sets the same permission to Yes, the Yes value wins. As a result, the user's permissions escalate to those granted by the primary usergroup.
Both variations are resolved by the newest patches.
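The following is an added illustration for this advisory, not VaultWiki's or vBulletin's own code. It models the three permission-merging behaviours described above (pre-4.0.2, 4.0.2, and patched) for a single Yes/No/Never permission, so that the two escalation cases can be reproduced side by side. The group names, the "edit" permission and the "apply_secondary" flag (standing in for the primary usergroup's "allow secondary group permissions" setting) are constructed for the example.

```python
# Illustrative model of usergroup permission merging, written for this
# advisory; it is not VaultWiki's or vBulletin's own code. Group names,
# permission names and the "apply_secondary" flag are constructed here.

YES, NO, NEVER = "yes", "no", "never"


def merge(groups, perm):
    """Merge one permission across a list of applicable groups.

    Any "never" denies outright; otherwise any "yes" grants; otherwise denied.
    This models the intended semantics: a user can reach the "yes" of their
    most permissive applicable group, but a "never" anywhere still wins.
    """
    values = [g["perms"].get(perm, NO) for g in groups]
    if NEVER in values:
        return False
    return YES in values


def applicable_groups_patched(primary, secondaries):
    """Patched behaviour: secondaries count only if the primary allows it."""
    if primary["apply_secondary"]:
        return [primary] + list(secondaries)
    return [primary]


def resolve_pre_402(primary, secondaries, perm):
    """Pre-4.0.2 defect: secondaries always applied, ignoring the primary's flag."""
    return merge([primary] + list(secondaries), perm)


def resolve_402(primary, secondaries, perm):
    """4.0.2 defect: secondaries ignored entirely, so a secondary "never" is lost."""
    return merge([primary], perm)


def resolve_patched(primary, secondaries, perm):
    """Behaviour after the Patch Level releases."""
    return merge(applicable_groups_patched(primary, secondaries), perm)


# Constructed sample groups (not real site configuration).
BANNED = {"name": "Banned", "apply_secondary": False, "perms": {"edit": NO}}
REGISTERED = {"name": "Registered", "apply_secondary": True, "perms": {"edit": YES}}
EDITORS = {"name": "Wiki Editors", "apply_secondary": True, "perms": {"edit": YES}}
RESTRICTED = {"name": "Restricted", "apply_secondary": True, "perms": {"edit": NEVER}}


def scenarios():
    """Return {label: (pre_4_0_2, v4_0_2, patched)} for the two advisory cases."""
    return {
        # Banned primary with an editor secondary: pre-4.0.2 grants "edit"
        # through the secondary even though the banned group forbids that.
        "banned_with_editor_secondary": (
            resolve_pre_402(BANNED, [EDITORS], "edit"),
            resolve_402(BANNED, [EDITORS], "edit"),
            resolve_patched(BANNED, [EDITORS], "edit"),
        ),
        # Registered primary (Yes) with a Restricted secondary (Never):
        # 4.0.2 grants "edit" because it drops the secondary's Never.
        "registered_with_never_secondary": (
            resolve_pre_402(REGISTERED, [RESTRICTED], "edit"),
            resolve_402(REGISTERED, [RESTRICTED], "edit"),
            resolve_patched(REGISTERED, [RESTRICTED], "edit"),
        ),
    }


if __name__ == "__main__":
    for label, (old, v402, fixed) in scenarios().items():
        print(f"{label}: pre-4.0.2={old} 4.0.2={v402} patched={fixed}")
```

Running the block prints one line per scenario; in each, only the patched resolver denies the escalated permission, which is the check an administrator would want to confirm after updating.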
Do I Need to Apply This Patch?
If you are running VaultWiki 4.0.1 or lower on vBulletin and any of your users in "banned" usergroups have secondary member groups, or might in the future, we HIGHLY recommend updating to one of the aforementioned patched releases.

If you are running VaultWiki 4.0.2 on vBulletin and you use "Never" values for permissions, we HIGHLY recommend updating to 4.0.2 Patch Level 1.

If these conditions do not apply to you, but you are running VaultWiki 4.0.2 on vBulletin and you simply rely on secondary member groups to receive wiki permissions, we recommend that you update to 4.0.2 Patch Level 1 to regain the ability to perform actions within the wiki.